Connection Problem
Guus Sliepen
guus at sliepen.warande.net
Thu Nov 22 10:56:57 CET 2001
On Wed, Nov 21, 2001 at 06:28:44PM -0800, Daniel Holden wrote:
> Result of "iptables -t nat -L -v" on ServerB:
>
> Chain PREROUTING (policy ACCEPT 4075 packets, 823K bytes)
>  pkts bytes target     prot opt in  out  source    destination
>     0     0 DNAT       tcp  --  any any  anywhere  209.1.1.0/24  tcp dpt:tinc to:192.168.1.253:655
This rule is not necessary.
> Chain POSTROUTING (policy ACCEPT 664 packets, 158K bytes)
>  pkts bytes target     prot opt in  out  source    destination
>   348 24626 MASQUERADE all  --  any eth0 anywhere  anywhere
I think you'd better also specify eth2 as the input device for this rule, to
prevent people on eth0 from using you as a masquerader (unless you already
block this in the forwarding chain).
>     0     0 ACCEPT     all  --  any any  209.1.1.0/24  anywhere
Useless rule.
> Result of "iptables -L -v" on ServerB:
>
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target prot opt in  out source        destination
>     2   118 ACCEPT all  --  any any mail.idsb.net anywhere
The above one also covers...
>     0     0 ACCEPT tcp  --  any any mail.idsb.net 209.1.1.0/24  tcp dpt:tinc
>     0     0 ACCEPT udp  --  any any mail.idsb.net 209.1.1.0/24  udp dpt:tinc
...these rules, so the latter are useless.
> Chain FORWARD (policy DROP 0 packets, 0 bytes)
>  pkts bytes target prot opt in  out  source         destination
>     0     0 ACCEPT all  --  any eth0 office_vpn/24  anywhere
>     0     0 ACCEPT all  --  any any  anywhere       office_vpn/24
These rules cover the masqueraded traffic, but you forgot the VPN
traffic that has to be forwarded. So, add something like this:
iptables -A FORWARD -i office_vpn -o eth2 -j ACCEPT
iptables -A FORWARD -o office_vpn -i eth2 -j ACCEPT
If this doesn't help, resize your terminal to something that can hold
the output of iptables -L, and do the following:
watch -d -n 1 iptables -L -v -x
Then try to ping over the VPN. The rule which matches the VPN traffic
will light up.
--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus at sliepen.warande.net>
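The counter-watching trick Guus describes, as an added example that is not part of the original reply: a small Python script that diffs two snapshots of "iptables -L -v -x" taken before and after a ping over the VPN and reports which rules (or which chain's default policy) saw the packets. The snapshots embedded below are constructed; only the FORWARD chain layout and the office_vpn/eth2 interface names come from the thread.

```python
"""Diff two `iptables -L -v -x` snapshots: report which rules (or chain policies) saw packets.
Added helper, not part of the reply; it automates what `watch -d` shows by eye.
"""
import re

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets, (\d+) bytes\)")


def parse_snapshot(text):
    """Return ({(chain, pos, target, in, out, src, dst, extra): pkts}, {chain: policy_pkts})."""
    rules, policies, chain, pos = {}, {}, None, 0
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain, pos = line.split()[1], 0
            m = CHAIN_RE.match(line)
            if m:                                  # built-in chain: packets that hit the policy
                policies[chain] = int(m.group(3))
            continue
        cols = line.split()
        if chain is None or len(cols) < 9 or not cols[0].isdigit():
            continue                               # header row or blank line
        pos += 1
        key = (chain, pos, cols[2], cols[5], cols[6], cols[7], cols[8], " ".join(cols[9:]))
        rules[key] = int(cols[0])
    return rules, policies


def rules_that_fired(before, after):
    """Rules whose packet counter rose, and chains whose default-policy counter rose."""
    b_rules, b_pol = parse_snapshot(before)
    a_rules, a_pol = parse_snapshot(after)
    fired = [(k, n - b_rules.get(k, 0)) for k, n in a_rules.items() if n > b_rules.get(k, 0)]
    fell_through = {c: n - b_pol.get(c, 0) for c, n in a_pol.items() if n > b_pol.get(c, 0)}
    return fired, fell_through


# Constructed snapshots of the FORWARD chain before and after four pings over the VPN.
# No rule counter moves but the DROP policy counter does: the VPN packets match nothing
# and fall through to the policy, which is exactly the missing-FORWARD-rule symptom.
BEFORE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     all  --  any    eth0    office_vpn/24        anywhere
       0          0 ACCEPT     all  --  any    any     anywhere             office_vpn/24
"""
AFTER = BEFORE.replace("policy DROP 0 packets, 0 bytes", "policy DROP 4 packets, 336 bytes")
if __name__ == "__main__":
    fired, fell_through = rules_that_fired(BEFORE, AFTER)
    for key, delta in fired:
        print(f"{key[0]} rule {key[1]} ({key[2]} in={key[3]} out={key[4]}): +{delta} packets")
    for chain, delta in fell_through.items():
        print(f"{chain}: {delta} packets fell through to the chain policy (no rule matched)")
```

Once the two FORWARD rules from the reply are added, the same diff shows the "-i office_vpn -o eth2" rule lighting up instead of the policy counter.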